A Guide for First Responders · Project Engineer National Law Enforcement and Corrections...


  • U.S. Department of Justice

    Office of Justice Programs

    National Institute of Justice

    A Guide for First Responders

    NIJ Guide

  • U.S. Department of Justice

    Office of Justice Programs

    810 Seventh Street N.W.

    Washington, DC 20531

    John Ashcroft

    Attorney General

    Office of Justice Programs World Wide Web Site: http://www.ojp.usdoj.gov

    National Institute of Justice World Wide Web Site: http://www.ojp.usdoj.gov/nij

    Cover photographs copyright © 2001 PhotoDisc, Inc.

  • Electronic Crime Scene Investigation: A Guide for First Responders

    Written and Approved by the Technical Working Group for Electronic Crime Scene Investigation

    July 2001

  • U.S. Department of Justice

    Office of Justice Programs

    National Institute of Justice

    Opinions or points of view expressed in this document represent a consensus of the authors and do not necessarily represent the official position or policies of the U.S. Department of Justice. The products and manufacturers discussed in this document are presented for informational purposes only and do not constitute product approval or endorsement by the U.S. Department of Justice.

    NCJ 187736

    The National Institute of Justice is a component of the Office of Justice Programs, which also includes the Bureau of Justice Assistance, the Bureau of Justice Statistics, the Office of Juvenile Justice and Delinquency Prevention, and the Office for Victims of Crime.

    This document is not intended to create, does not create, and may not be relied upon to create any rights, substantive or procedural, enforceable at law by any party in any matter civil or criminal.

  • Foreword

    The Internet, computer networks, and automated data systems present an enormous new opportunity for committing criminal activity. Computers and other electronic devices are being used increasingly to commit, enable, or support crimes perpetrated against persons, organizations, or property. Whether the crime involves attacks against computer systems, the information they contain, or more traditional crimes such as murder, money laundering, trafficking, or fraud, electronic evidence increasingly is involved. It is no surprise that law enforcement and criminal justice officials are being overwhelmed by the volume of investigations and prosecutions that involve electronic evidence.

    To assist State and local law enforcement agencies and prosecutorial offices with the growing volume of electronic crime, a series of reference guides regarding practices, procedures, and decisionmaking processes for investigating electronic crime is being prepared by technical working groups of practitioners and subject matter experts who are knowledgeable about electronic crime. The practitioners and experts are from Federal, State, and local law enforcement agencies; criminal justice agencies; offices of prosecutors and district attorneys general; and academic, commercial, and professional organizations.

    The series of guides will address the investigation process from the crime scene first responder, to the laboratory, to the courtroom. Specifically, the series of guides will address:

    ◆ Crime scene investigations by first responders.

    ◆ Examination of digital evidence.

    ◆ Investigative uses of technology.

    ◆ Investigating electronic technology crimes.

    ◆ Creating a digital evidence forensic unit.

    ◆ Courtroom presentation of digital evidence.

    Due to the rapidly changing nature of electronic and computer technologies and of electronic crime, efforts will be periodically undertaken to update the information contained within each of the guides. The guides, and any subsequent updates that are made to them, will be made available on the National Institute of Justice’s World Wide Web site (http://www.ojp.usdoj.gov/nij).

  • Technical Working Group for Electronic Crime Scene Investigation

    The Technical Working Group for Electronic Crime Scene Investigation (TWGECSI) was a multidisciplinary group of practitioners and subject matter experts from across the United States and other nations. Each of the individual participants is experienced in the intricacies involved with electronic evidence in relation to recognition, documentation, collection, and packaging. To initiate the working group, a planning panel composed of a limited number of participants was selected to define the scope and breadth of the work. A series of guides was proposed in which each guide will focus on a different aspect of the discipline.

    The panel chose crime scene investigation as the first topic for incorporation into a guide.

    Planning Panel

    Susan Ballou, Program Manager for Forensic Sciences, Office of Law Enforcement Standards, National Institute of Standards and Technology, Gaithersburg, Maryland

    Jaime Carazo, Special Agent, United States Secret Service, Electronic Crimes Branch, Washington, D.C.

    Bill Crane, Assistant Director, Computer Crime Section, National White Collar Crime Center, Fairmont, West Virginia

    Fred Demma, National Law Enforcement and Corrections Technology Center–Northeast, Rome, New York

    Grant Gottfried, Special Projects, National Center for Forensic Science, Orlando, Florida

    Sam Guttman, Assistant Inspector in Charge, Forensic and Technical Services, U.S. Postal Inspection Service, Dulles, Virginia

    Jeffrey Herig, Special Agent, Florida Department of Law Enforcement, Florida Computer Crime Center, Tallahassee, Florida

    Tim Hutchison, Sheriff, Knox County Sheriff’s Office, Knoxville, Tennessee

    David Icove, Manager, Special Projects, U.S. TVA Police, Knoxville, Tennessee

  • Bob Jarzen, Sacramento County Laboratory of Forensic Science, Sacramento, California

    Tom Johnson, Dean, School of Public Safety and Professional Studies, University of New Haven, West Haven, Connecticut

    Karen Matthews, DOE Computer Forensic Laboratory, Bolling AFB, Washington, D.C.

    Mark Pollitt, Unit Chief, FBI–CART, Washington, D.C.

    David Poole, Director, DoD Computer Forensics Laboratory, Linthicum, Maryland

    Mary Riley, Price Waterhouse Coopers, LLP, Washington, D.C.

    Kurt Schmid, Director, National HIDTA Program, Washington, D.C.

    Howard A. Schmidt, Corporate Security Officer, Microsoft Corp., Redmond, Washington

    Raemarie Schmidt, Computer Crime Specialist, National White Collar Crime Center, Computer Crime Section, Fairmont, West Virginia

    Carl Selavka, Massachusetts State Police Crime Laboratory, Sudbury, Massachusetts

    Steve Sepulveda, United States Secret Service, Washington, D.C.

    Todd Shipley, Detective Sergeant, Reno Police Department, Financial/Computer Crimes Unit, Reno, Nevada

    Chris Stippich, Computer Crime Specialist, Computer Crime Section, National White Collar Crime Center, Fairmont, West Virginia

    Carrie Morgan Whitcomb, Director, National Center for Forensic Science, Orlando, Florida

    Wayne Williams, Sr. Litigation Counsel, Computer Crime and Intellectual Property Section, Criminal Division, U.S. Department of Justice, Washington, D.C.

    TWGECSI Members

    Additional members were then incorporated into TWGECSI to provide a full technical working group. The individuals listed below, along with those participants on the planning panel, worked together to produce this guide for electronic crime scene first responders.

    Abigail Abraham, Assistant State’s Attorney, Cook County State’s Attorney’s Office, Chicago, Illinois

    Keith Ackerman, Head of CID, Police HQ, Hampshire Constabulary, Winchester, Hants, United Kingdom

    Michael Anderson, President, New Technologies, Inc., Gresham, Oregon

    Bill Baugh, CEO, Savannah Technology Group, Savannah, Georgia

  • Randy Bishop, Special Agent in Charge, U.S. Department of Energy, Office of Inspector General, Technology Crime Section, Washington, D.C.

    Steve Branigan, Vice President of Product Development, Lucent Technologies, Murray Hill, New Jersey

    Paul Brown, CyberEvidence, Inc., The Woodlands, Texas

    Carleton Bryant, Staff Attorney, Knox County Sheriff’s Office, Knoxville, Tennessee

    Christopher Bubb, Deputy Attorney General, New Jersey Division of Criminal Justice, Trenton, New Jersey

    Don Buchwald, Project Engineer, National Law Enforcement and Corrections Technology Center–West, The Aerospace Corporation, Los Angeles, California

    Cheri Carr, Computer Forensic Lab Chief, NASA Office of the Inspector General, Network and Advanced Technology Protections Office, Washington, D.C.

    Nick Cartwright, Manager, Canadian Police Research Centre, Ottawa, Ontario, Canada

    Ken Citarella, Chief, High Tech Crimes Bureau, Westchester County District Attorney, White Plains, New York

    Chuck Coe, Director of Technical Services, NASA Office of the Inspector General, Network and Advanced Technology Protections Office, Washington, D.C.

    Fred Cohen, Sandia National Laboratories, Cyber Defender Program, Livermore, California

    Fred Cotton, Director of Training Services, SEARCH, The National Consortium for Justice Information and Statistics, Sacramento, California

    Tony Crisp, Lieutenant, Maryville Police Department, Maryville, Tennessee

    Mark Dale, New York State Police, Forensic Investigation Center, Albany, New York

    Claude Davenport, Senior SA, United States Customs Service, Sterling, Virginia

    David Davies, Photographic Examiner, Federal Bureau of Investigation, Washington, D.C.

    Michael Donhauser, Maryland State Police, Columbia, Maryland

    James Doyle, Sergeant, Detective Bureau, New York City Police Department, New York, New York

    Michael Duncan, Sergeant, Royal Canadian Mounted Police, Economic Crime Branch, Technological Crime Section, Ottawa, Ontario, Canada

    Jim Dunne, Group Supervisor, Drug Enforcement Agency, St. Louis, Missouri

    Chris Duque, Detective, Honolulu Police Department, White Collar Crime Unit, Honolulu, Hawaii

    Doug Elrick, Iowa DCI Crime Lab, Des Moines, Iowa

    Paul French, Computer Forensics Lab Manager, New Technologies Armor, Inc., Gresham, Oregon

  • Gerald Friesen, Electronic Search Coordinator, Industry Canada, Hull, Quebec, Canada

    Pat Gilmore, CISSP, Director, Information Security, Atomic Tangerine, San Francisco, California

    Gary Gordon, Professor, Economic Crime Programs, Utica College, WetStone Technologies, Utica, New York

    Dan Henry, Chief Deputy, Marion County Sheriff’s Department, Ocala, Florida

    Jeff Hormann, Special Agent In Charge, Computer Crime Resident Agency, U.S. Army CID, Ft. Belvoir, Virginia

    Mary Horvath, Program Manager, FBI–CART, Washington, D.C.

    Mel Joiner, Officer, Arizona Department of Public Safety, Phoenix, Arizona

    Nigel Jones, Detective Sergeant, Computer Crime Unit, Police Headquarters, Kent County Constabulary, Maidstone, Kent, United Kingdom

    Jamie Kerr, SGT/Project Manager, RCMP Headquarters, Training Directorate, Ottawa, Ontario, Canada

    Alan Kestner, Assistant Attorney General, Wisconsin Department of Justice, Madison, Wisconsin

    Phil Kiracofe, Sergeant, Tallahassee Police Department, Tallahassee, Florida

    Roland Lascola, Program Manager, FBI-CART, Washington, D.C.

    Barry Leese, Detective Sergeant, Maryland State Police, Computer Crimes Unit, Columbia, Maryland

    Glenn Lewis, Computer Specialist, SEARCH, The National Consortium for Justice Information and Statistics, Sacramento, California

    Chris Malinowski, Forensic Computer Investigation, University of New Haven, West Haven, Connecticut

    Kevin Manson, Director, Cybercop.org, St. Simons Island, Georgia

    Brenda Maples, Lieutenant, Memphis Police Department, Memphis, Tennessee

    Tim McAuliffe, New York State Police, Forensic Investigation Center, Albany, New York

    Michael McCartney, Investigator, New York State Attorney General’s Office, Criminal Prosecution Bureau–Organized Crime Task Force, Buffalo, New York

    Alan McDonald, SSA, Washington, D.C.

    Mark Menz, SEARCH, The National Consortium for Justice Information and Statistics, Sacramento, California

    Dave Merkel, AOL Investigations, Reston, Virginia

    Bill Moylan, Detective, Nassau County PD, Computer Crime Section, Crimes Against Property Squad, Westbury, New York

  • Steve Nesbitt, Director of Operations, NASA Office of the Inspector General, Network and Advanced Technology Protections Office, Washington, D.C.

    Glen Nick, Program Manager, U.S. Customs Service, Cyber Smuggling Center, Fairfax, Virginia

    Robert O’Leary, Detective, New Jersey State Police, High Technology Crimes & Investigations Support Unit, West Trenton, New Jersey

    Matt Parsons, Special Agent/Division Chief, Naval Criminal Investigative Service, Washington, D.C.

    Mike Phelan, Chief, Computer Forensics Unit, DEA Special Testing and Research Lab, Lorton, Virginia

    Henry R. Reeve, General Counsel/Deputy D.A., Denver District Attorney’s Office, Denver, Colorado

    Jim Riccardi, Jr., Electronic Crime Specialist, National Law Enforcement and Corrections Technology Center–Northeast, Rome, New York

    David Roberts, Deputy Executive Director, SEARCH, The National Consortium for Justice Information and Statistics, Sacramento, California

    Leslie Russell, Forensic Science Service, Lambeth, London, England, United Kingdom

    Greg Schmidt, Sr. Investigator, EDS-Investigations/Technical, Plano, Texas

    George Sidor, Law Enforcement Security Consultant, Jaws Technologies Inc., St. Albert, Alberta, Canada

    William Spernow, CISSP, Research Director, Information Security Strategies Group, Gartner, Inc., Suwanee, Georgia

    Ronald Stevens, Senior Investigator, New York State Police, Forensic Investigation Center, Albany, New York

    Gail Thackeray, Special Counsel–Technology Crimes, Arizona Attorney General’s Office, Phoenix, Arizona

    Dwight Van de Vate, Chief Deputy, Knox County Sheriff’s Office, Knoxville, Tennessee

    Jay Verhorevoort, Lieutenant, Davenport Police Department, Davenport, Iowa

    Richard Vorder Bruegge, Photographic Examiner, Federal Bureau of Investigation, Washington, D.C.

    Robert B. Wallace, U.S. Department of Energy, Germantown, Maryland

    Craig Wilson, Detective Sergeant, Computer Crime Unit, Police Headquarters, Kent County Constabulary, Maidstone, Kent, United Kingdom

    Brian Zwit, Chief Counsel (former), Environment, Science, and Technology, National Association of Attorneys General, Washington, D.C.

  • Chronology

    In May 1998, the National Cybercrime Training Partnership (NCTP), the Office of Law Enforcement Standards (OLES), and the National Institute of Justice (NIJ) collaborated on possible resources that could be implemented to counter electronic crime. Continuing meetings generated a desire to formulate one set of protocols that would address the process of electronic evidence from the crime scene through court presentations. NIJ selected the technical working group process as the way to achieve this goal but with the intent to create a publication flexible enough to allow implementation with any State and local law enforcement policy. Using its “template for technical working groups,” NIJ established the Technical Working Group for Electronic Crime Scene Investigation (TWGECSI) to identify, define, and establish basic criteria to assist agencies with electronic investigations and prosecutions.

    In January 1999, planning panel members met at the National Institute of Standards and Technology (NIST) in Gaithersburg, Maryland, to review the fast-paced arena of electronic crime and prepare the scope, intent, and objectives of the project. During this meeting, the scope was determined to be too vast for incorporation into one guide. Thus evolved a plan for several guides, each targeting separate issues. Crime scene investigation was selected as the topic for the first guide.

    The initial meeting of the full TWGECSI took place March 1999 at NIST. After outlining tasks in a general meeting, the group separated into subgroups to draft the context of the chapters as identified by the planning panel. These chapters were Electronic Devices: Types and Potential Evidence; Investigative Tools and Equipment; Securing and Evaluating the Scene; Documenting the Scene; Evidence Collection; Packaging, Transportation, and Storage; and Forensic Examination by Crime Category. The volume of work involved in preparing the text of these chapters required additional TWGECSI meetings.

    The planning panel did not convene again until May 2000. Due to the amount of time that had transpired between meetings, the planning panel reviewed the draft content and compared it with changes that had occurred in the electronic crime environment.

  • These revisions to the draft were then sent to the full TWGECSI in anticipation of the next meeting. The full TWGECSI met again at NIST in August 2000, and through 2 days of intense discussion, edited most of the draft to represent the current status of electronic crime investigation. With a few more sections requiring attention, the planning panel met in Seattle, Washington, during September 2000 to continue the editing process. These final changes, the glossary, and appendixes were then critiqued and voted on by the whole TWGECSI during the final meeting in November 2000 at NIST.

    The final draft was then sent for content and editorial review to more than 80 organizations having expertise and knowledge in the electronic crime environment. The returned comments were evaluated and incorporated into the document when possible. The first chapter, Electronic Devices: Types and Potential Evidence, incorporates photographic representations of highlighted terms as a visual associative guide. At the end of the document are appendixes containing a glossary, legal resources, technical resources, training resources, and references, followed by a list of the organizations to which a draft copy of the document was sent.

  • Acknowledgments

    The National Institute of Justice (NIJ) wishes to thank the members of the Technical Working Group for Electronic Crime Scene Investigation (TWGECSI) for their tireless dedication. There was a constant turnover of individuals involved, mainly as a result of job commitments and career changes. This dynamic environment resulted in a total of 94 individuals supplying their knowledge and expertise to the creation of the guide. All participants were keenly aware of the constant changes occurring in the field of electronics and strove to update information during each respective meeting. This demonstrated the strong desire of the working group to produce a guide that could be flexible and serve as a backbone for future efforts to upgrade the guide. In addition, NIJ offers a sincere thank you to each agency and organization represented by the working group members. The work loss to each agency during the absence of key personnel is evidence of management’s commitment and understanding of the importance of standardization in forensic science.

    NIJ also wishes to thank Kathleen Higgins, Director, and Susan Ballou, Program Manager, of the Office of Law Enforcement Standards, for providing management and guidance in bringing the project to completion.

    NIJ would like to express appreciation for the input and support that Dr. David G. Boyd, Director of NIJ’s Office of Science and Technology (OS&T), and Trent DePersia, Dr. Ray Downs, Dr. Richard Rau, Saralyn Borrowman, Amon Young, and James McNeil, all of OS&T, gave the meetings and the document. A special thanks is extended to Aspen Systems Corporation, specifically to Michele Coppola, the assigned editor, for her patience and skill in dealing with instantaneous transcription.

    In addition, NIJ wishes to thank the law enforcement agencies, academic institutions, and commercial organizations worldwide that supplied contact information, reference materials, and editorial suggestions. Particular thanks goes to Michael R. Anderson, President of New Technologies, Inc., for contacting agencies knowledgeable in electronic evidence for inclusion in the appendix on technical resources.

  • Contents

    Foreword

    Technical Working Group for Electronic Crime Scene Investigation

    Acknowledgments

    Overview

    The Law Enforcement Response to Electronic Evidence

    The Latent Nature of Electronic Evidence

    The Forensic Process

    Introduction

    Who Is the Intended Audience for This Guide?

    What Is Electronic Evidence?

    How Is Electronic Evidence Handled at the Crime Scene?

    Is Your Agency Prepared to Handle Electronic Evidence?

    Chapter 1. Electronic Devices: Types and Potential Evidence

    Computer Systems

    Components

    Access Control Devices

    Answering Machines

    Digital Cameras

    Handheld Devices (Personal Digital Assistants [PDAs], Electronic Organizers)

    Hard Drives

    Memory Cards

    Modems

    Network Components

    Pagers

    Printers

    Removable Storage Devices and Media

    Scanners

    Telephones

    Miscellaneous Electronic Items

  • Chapter 2. Investigative Tools and Equipment

    Tool Kit

    Chapter 3. Securing and Evaluating the Scene

    Chapter 4. Documenting the Scene

    Chapter 5. Evidence Collection

    Nonelectronic Evidence

    Stand-Alone and Laptop Computer Evidence

    Computers in a Complex Environment

    Other Electronic Devices and Peripheral Evidence

    Chapter 6. Packaging, Transportation, and Storage

    Chapter 7. Forensic Examination by Crime Category

    Auction Fraud (Online)

    Child Exploitation/Abuse

    Computer Intrusion

    Death Investigation

    Domestic Violence

    Economic Fraud (Including Online Fraud, Counterfeiting)

    E-Mail Threats/Harassment/Stalking

    Extortion

    Gambling

    Identity Theft

    Narcotics

    Prostitution

    Software Piracy

    Telecommunications Fraud

    Appendix A. Glossary

    Appendix B. Legal Resources List

    Appendix C. Technical Resources List

    Appendix D. Training Resources List

    Appendix E. References

    Appendix F. List of Organizations

  • Overview

    Computers and other electronic devices are present in every aspect of modern life. At one time, a single computer filled an entire room; today, a computer can fit in the palm of your hand. The same technological advances that have helped law enforcement are being exploited by criminals.

    Computers can be used to commit crime, can contain evidence of crime, and can even be targets of crime. Understanding the role and nature of electronic evidence that might be found, how to process a crime scene containing potential electronic evidence, and how an agency might respond to such situations are crucial issues. This guide represents the collected experience of the law enforcement community, academia, and the private sector in the recognition, collection, and preservation of electronic evidence in a variety of crime scenes.

    The Law Enforcement Response to Electronic Evidence

    The law enforcement response to electronic evidence requires that officers, investigators, forensic examiners, and managers all play a role. This document serves as a guide for the first responder. A first responder may be responsible for the recognition, collection, preservation, transportation, and/or storage of electronic evidence. In today’s world, this can include almost everyone in the law enforcement profession. Officers may encounter electronic devices during their day-to-day duties. Investigators may direct the collection of electronic evidence, or may perform the collection themselves. Forensic examiners may provide assistance at crime scenes and will perform examinations on the evidence. Managers have the responsibility of ensuring that personnel under their direction are adequately trained and equipped to properly handle electronic evidence.

    Each responder must understand the fragile nature of electronic evidence and the principles and procedures associated with its collection and preservation. Actions that have the potential to alter, damage, or destroy original evidence may be closely scrutinized by the courts.

  • Procedures should be in effect that promote electronic crime scene investigation. Managers should determine who will provide particular levels of services and how these services will be funded. Personnel should be provided with initial and ongoing technical training. Oftentimes, certain cases will demand a higher level of expertise, training, or equipment, and managers should have a plan in place regarding how to respond to these cases. The demand for responses to electronic evidence is expected to increase for the foreseeable future. Such services require that dedicated resources be allocated for these purposes.

    The Latent Nature of Electronic Evidence

    Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device. As such, electronic evidence is latent evidence in the same sense that fingerprints or DNA (deoxyribonucleic acid) evidence are latent. In its natural state, we cannot “see” what is contained in the physical object that holds our evidence. Equipment and software are required to make the evidence visible. Testimony may be required to explain the examination process and any process limitations.

    Electronic evidence is, by its very nature, fragile. It can be altered, damaged, or destroyed by improper handling or improper examination. For this reason, special precautions should be taken to document, collect, preserve, and examine this type of evidence. Failure to do so may render it unusable or lead to an inaccurate conclusion. This guide suggests methods that will help preserve the integrity of such evidence.

    The Forensic Process

    The nature of electronic evidence is such that it poses special challenges for its admissibility in court. To meet these challenges, follow proper forensic procedures. These procedures include, but are not limited to, four phases: collection, examination, analysis, and reporting. Although this guide concentrates on the collection phase, the nature of the other three phases and what happens in each are also important to understand.

  • The collection phase involves the search for, recognition of, collection of, and documentation of electronic evidence. The collection phase can involve real-time and stored information that may be lost unless precautions are taken at the scene.

    The examination process helps to make the evidence visible and explain its origin and significance. This process should accomplish several things. First, it should document the content and state of the evidence in its totality. Such documentation allows all parties to discover what is contained in the evidence. Included in this process is the search for information that may be hidden or obscured. Once all the information is visible, the process of data reduction can begin, thereby separating the “wheat” from the “chaff.” Given the tremendous amount of information that can be stored on computer storage media, this part of the examination is critical.

    Analysis differs from examination in that it looks at the product of the examination for its significance and probative value to the case. Examination is a technical review that is the province of the forensic practitioner, while analysis is performed by the investigative team. In some agencies, the same person or group will perform both these roles.

    A written report that outlines the examination process and the pertinent data recovered completes an examination. Examination notes must be preserved for discovery or testimony purposes. An examiner may need to testify about not only the conduct of the examination but also the validity of the procedure and his or her qualifications to conduct the examination.

  • This guide is intended for use by law enforcement and otherresponders who have the responsibility for protecting an electron-ic crime scene and for the recognition, collection, and preserva-tion of electronic evidence. It is not all-inclusive. Rather, it dealswith the most common situations encountered with electronic evi-dence. Technology is advancing at such a rapid rate that the sug-gestions in this guide must be examined through the prism ofcurrent technology and the practices adjusted as appropriate. It isrecognized that all crime scenes are unique and the judgment ofthe first responder/investigator should be given deference in theimplementation of this guide. Furthermore, those responsible offi-cers or support personnel with special training should also adjusttheir practices as the circumstances (including their level of expe-rience, conditions, and available equipment) warrant. This publi-cation is not intended to address forensic analysis. Circumstancesof individual cases and Federal, State, and local laws/rules mayrequire actions other than those described in this guide.

    When dealing with electronic evidence, general forensic and procedural principles should be applied:

    ◆ Actions taken to secure and collect electronic evidence should not change that evidence.

    ◆ Persons conducting examination of electronic evidence should be trained for the purpose.

    ◆ Activity relating to the seizure, examination, storage, or transfer of electronic evidence should be fully documented, preserved, and available for review.

    Who Is the Intended Audience for This Guide?

    ◆ Anyone encountering a crime scene that might contain electronic evidence.

    ◆ Anyone processing a crime scene that involves electronic evidence.

    ◆ Anyone supervising someone who processes such a crime scene.

    ◆ Anyone managing an organization that processes such a crime scene.

  • Without having the necessary skills and training, no responder should attempt to explore the contents or recover data from a computer (e.g., do not touch the keyboard or click the mouse) or other electronic device other than to record what is visible on its display.

    What Is Electronic Evidence?

    Electronic evidence is information and data of investigative value that is stored on or transmitted by an electronic device. Such evidence is acquired when data or physical items are collected and stored for examination purposes.

    Electronic evidence:

    ◆ Is often latent in the same sense as fingerprints or DNA evidence.

    ◆ Can transcend borders with ease and speed.

    ◆ Is fragile and can be easily altered, damaged, or destroyed.

    ◆ Is sometimes time-sensitive.

    How Is Electronic Evidence Handled at the Crime Scene?

    Precautions must be taken in the collection, preservation, and examination of electronic evidence.

    Handling electronic evidence at the crime scene normally consists of the following steps:

    ◆ Recognition and identification of the evidence.

    ◆ Documentation of the crime scene.

    ◆ Collection and preservation of the evidence.

    ◆ Packaging and transportation of the evidence.

    The information in this document assumes that:

    ◆ The necessary legal authority to search for and seize the suspected evidence has been obtained.

  • ◆ The crime scene has been secured and documented (photographically and/or by sketch or notes).

    ◆ Crime scene protective equipment (gloves, etc.) is being used as necessary.

    Note: First responders should use caution when seizing electronic devices. The improper access of data stored in electronic devices may violate provisions of certain Federal laws, including the Electronic Communications Privacy Act. Additional legal process may be necessary. Please consult your local prosecutor before accessing stored data on a device. Because of the fragile nature of electronic evidence, examination should be done by appropriate personnel.

    Is Your Agency Prepared to Handle Electronic Evidence?

    This document recommends that every agency identify local computer experts before they are needed. These experts should be “on call” for situations that are beyond the technical expertise of the first responder or department. (Similar services are in place for toxic waste emergencies.) It is also recommended that investigative plans be developed in compliance with departmental policy and Federal, State, and local laws. In particular, under the Privacy Protection Act, with certain exceptions, it is unlawful for an agent to search for or seize certain materials possessed by a person reasonably believed to have a purpose of disseminating information to the public. For example, seizure of First Amendment materials such as drafts of newsletters or Web pages may implicate the Privacy Protection Act.

    This document may help in:

    ◆ Assessing resources.

    ◆ Developing procedures.

    ◆ Assigning roles and tasks.

    ◆ Considering officer safety.

    ◆ Identifying and documenting equipment and supplies to bring to the scene.

  • Chapter 1. Electronic Devices: Types and Potential Evidence

    Electronic evidence can be found in many of the new types of electronic devices available to today’s consumers. This chapter displays a wide variety of the types of electronic devices commonly encountered in crime scenes, provides a general description of each type of device, and describes its common uses. In addition, it presents the potential evidence that may be found in each type of equipment.

    Many electronic devices contain memory that requires continuous power to maintain the information, such as a battery or AC power. Data can be easily lost by unplugging the power source or allowing the battery to discharge. (Note: After determining the mode of collection, collect and store the power supply adaptor or cable, if present, with the recovered device.)

    [Photograph labels: Printer, CPU Location, Telephone, Diskettes, Monitor, Keyboard, Counterfeit Documents, Software]

  • Computer Systems

    Description: A computer system typically consists of a main base unit, sometimes called a central processing unit (CPU), data storage devices, a monitor, keyboard, and mouse. It may be a stand-alone or it may be connected to a network. There are many types of computer systems such as laptops, desktops, tower systems, modular rack-mounted systems, minicomputers, and mainframe computers. Additional components include modems, printers, scanners, docking stations, and external data storage devices. For example, a desktop is a computer system consisting of a case, motherboard, CPU, and data storage, with an external keyboard and mouse.

    Primary Uses: For all types of computing functions and information storage, including word processing, calculations, communications, and graphics.

    Potential Evidence: Evidence is most commonly found in files that are stored on hard drives and storage devices and media. Examples are:

    User-Created Files

    User-created files may contain important evidence of criminal activity such as address books and database files that may prove criminal association, still or moving pictures that may be evidence of pedophile activity, and communications between criminals such as by e-mail or letters. Also, drug deal lists may often be found in spreadsheets.

    ◆ Address books.

    ◆ Audio/video files.

    ◆ Calendars.

    ◆ Database files.

    ◆ Documents or text files.

    ◆ E-mail files.

    ◆ Image/graphics files.

    ◆ Internet bookmarks/favorites.

    ◆ Spreadsheet files.

    [Photograph labels: Computer, Monitor, Laptop]

  • User-Protected Files

    Users have the opportunity to hide evidence in a variety of forms. For example, they may encrypt or password-protect data that are important to them. They may also hide files on a hard disk or within other files or deliberately hide incriminating evidence files under an innocuous name.

    ◆ Compressed files.

    ◆ Encrypted files.

    ◆ Hidden files.

    ◆ Misnamed files.

    ◆ Password-protected files.

    ◆ Steganography.
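
    The "misnamed files" item above, shown as an added example that is not part of the NIJ guide: a trained examiner can flag files whose leading signature bytes disagree with their extension. The signature table, function names, and sample files are constructed for illustration, and the check is assumed to run against a working copy rather than the original media.

```python
"""Flag files whose leading bytes do not match their extension.

Added illustration, not code from the guide. Files are opened read-only and
only the first bytes are read. Even a read can update a file's last-access
time, so run this against a working copy or a read-only mount.
"""
import os
import tempfile

# Well-known file signatures ("magic numbers") and the type each one indicates.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),
]

# Extensions that legitimately carry each type (.docx/.xlsx are ZIP containers).
EXPECTED_EXTENSIONS = {
    "jpeg": {".jpg", ".jpeg"},
    "png": {".png"},
    "gif": {".gif"},
    "pdf": {".pdf"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    "gzip": {".gz", ".tgz"},
}


def detect_type(path):
    """Return the type named by the file's leading bytes, or None."""
    with open(path, "rb") as handle:  # read-only access
        head = handle.read(16)
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None


def classify(path):
    """Return 'match', 'mismatch', or 'unknown' for one file."""
    detected = detect_type(path)
    ext = os.path.splitext(path)[1].lower()
    claimed = {kind for kind, exts in EXPECTED_EXTENSIONS.items() if ext in exts}
    if detected is None:
        # The extension promises a signed format but the bytes do not carry it
        # (for example encrypted or text content renamed to .png).
        return "mismatch" if claimed else "unknown"
    return "match" if detected in claimed else "mismatch"


def scan(root):
    """Walk a directory tree and list (relative path, detected type) mismatches."""
    findings = []
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            if classify(path) == "mismatch":
                findings.append((os.path.relpath(path, root), detect_type(path)))
    return sorted(findings, key=lambda item: item[0])


def demo():
    """Build constructed sample files in a temporary directory and scan them."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,   # real JPEG header
        "system.dll": b"\xff\xd8\xff\xe0" + b"\x00" * 32,    # picture under an innocuous name
        "report.pdf": b"PK\x03\x04" + b"\x00" * 32,          # archive posing as a PDF
        "budget.xlsx": b"PK\x03\x04" + b"\x00" * 32,         # ZIP container, as expected
        "photo.png": b"plain text, not an image\n",          # no PNG signature
        "notes.txt": b"meeting at noon\n",                   # no signature expected
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as out:
                out.write(data)
        return scan(root)


if __name__ == "__main__":
    for rel_path, detected in demo():
        print(f"{rel_path}: content looks like {detected or 'no known signature'}")
```

    A mismatch is a lead for the examiner, not a conclusion: many file formats have no fixed signature, and some formats share one.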

    Evidence can also be found in files and other data areas created as a routine function of the computer’s operating system. In many cases, the user is not aware that data are being written to these areas. Passwords, Internet activity, and temporary backup files are examples of data that can often be recovered and examined.

    Note: There are components of files that may have evidentiary value including the date and time of creation, modification, deletion, access, user name or identification, and file attributes. Even turning the system on can modify some of this information.

    Computer-Created Files

    ◆ Backup files.

    ◆ Configuration files.

    ◆ Cookies.

    ◆ Hidden files.

    ◆ History files.

    ◆ Log files.

    ◆ Printer spool files.

    ◆ Swap files.

    ◆ System files.

    ◆ Temporary files.

    [Photograph labels: Port Replicator, Docking Station, Server]

    Other Data Areas

    ◆ Bad clusters.

    ◆ Computer date, time, and password.

    ◆ Deleted files.

    ◆ Free space.

    ◆ Hidden partitions.

    ◆ Lost clusters.

    ◆ Metadata.

    ◆ Other partitions.

    ◆ Reserved areas.

    ◆ Slack space.

    ◆ Software registration information.

    ◆ System areas.

    ◆ Unallocated space.

  • Components

    Central Processing Units (CPUs)

    Description: Often called the “chip,” it is a microprocessor located inside the computer. The microprocessor is located in the main computer box on a printed circuit board with other electronic components.

    Primary Uses: Performs all arithmetic and logical functions in the computer. Controls the operation of the computer.

    Potential Evidence: The device itself may be evidence of component theft, counterfeiting, or remarking.

    Memory

    Description: Removable circuit board(s) inside the computer. Information stored here is usually not retained when the computer is powered down.

    Primary Uses: Stores user’s programs and data while computer is in operation.

    Potential Evidence: The device itself may be evidence of component theft, counterfeiting, or remarking.

    Access Control Devices

    Smart Cards, Dongles, Biometric Scanners

    Description: A smart card is a small handheld device that contains a microprocessor that is capable of storing a monetary value, encryption key or authentication information (password), digital certificate, or other information. A dongle is a small device that plugs into a computer port that contains types of information similar to information on a smart card. A biometric scanner is a device connected to a computer system that recognizes physical characteristics of an individual (e.g., fingerprint, voice, retina).

    [Photograph labels: PIII Xeon Processor, PIII Processor, G4 Processor, Memory, CPUs, Smart Card, Parallel Dongle, Biometric Scanner]

  • Primary Uses: Provides access control to computers or programs or functions as an encryption key.

    Potential Evidence: Identification/authentication information of the card and the user, level of access, configurations, permissions, and the device itself.

    Answering Machines

    Description: An electronic device that is part of a telephone or connected between a telephone and the landline connection. Some models use a magnetic tape or tapes, while others use an electronic (digital) recording system.

    Primary Uses: Records voice messages from callers when the called party is unavailable or chooses not to answer a telephone call. Usually plays a message from the called party before recording the message.

    Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.

    Potential Evidence: Answering machines can store voice messages and, in some cases, time and date information about when the message was left. They may also contain other voice recordings.

    ◆ Caller identification information.

    ◆ Deleted messages.

    ◆ Last number called.

    ◆ Memo.

    ◆ Phone numbers and names.

    ◆ Tapes.

    [Photograph labels: USB Dongles, Parallel Dongle, Answering Machine, QuickCam]

    Digital Cameras

    Description: Camera, digital recording device for images and video, with related storage media and conversion hardware capable of transferring images and video to computer media.

  • Primary Uses: Digital cameras capture images and/or video in a digital format that is easily transferred to computer storage media for viewing and/or editing.

    Potential Evidence:

    ◆ Images.

    ◆ Removable cartridges.

    ◆ Sound.

    ◆ Time and date stamp.

    ◆ Video.

    Handheld Devices (Personal Digital Assistants [PDAs], Electronic Organizers)

    Description: A personal digital assistant (PDA) is a small device that can include computing, telephone/fax, paging, networking, and other features. It is typically used as a personal organizer. A handheld computer approaches the full functionality of a desktop computer system. Some do not contain disk drives, but may contain PC card slots that can hold a modem, hard drive, or other device. They usually include the ability to synchronize their data with other computer systems, most commonly by a connection in a cradle (see photo). If a cradle is present, attempt to locate the associated handheld device.

    Primary Uses: Handheld computing, storage, and communication devices capable of storage of information.

    Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.

    [Photograph labels: Snappy Device (video capture device), Video Phone, Digital Cameras, Casio PDA, Palm Cradle, Palm in Cradle, PDAs]

    Potential Evidence:

    ◆ Address book.

    ◆ Appointment calendars/information.

    ◆ Documents.

    ◆ E-mail.

    ◆ Handwriting.

    ◆ Password.

    ◆ Phone book.

    ◆ Text messages.

    ◆ Voice messages.

  • Hard Drives

    Description: A sealed box containing rigid platters (disks) coated with a substance capable of storing data magnetically. Can be encountered in the case of a PC as well as externally in a stand-alone case.

    Primary Uses: Storage of information such as computer programs, text, pictures, video, multimedia files, etc.

    Potential Evidence: See potential evidence under computer systems.

    Memory Cards

    Description: Removable electronic storage devices, which do not lose the information when power is removed from the card. It may even be possible to recover erased images from memory cards. Memory cards can store hundreds of images in a credit card-size module. Used in a variety of devices, including computers, digital cameras, and PDAs. Examples are memory sticks, smart cards, flash memory, and flash cards.

    Primary Uses: Provides additional, removable methods of storing and transporting information.

    Potential Evidence: See potential evidence under computer systems.

    [Photograph labels: 2.5-inch IDE Hard Drive (laptop), 5.25-inch IDE Hard Drive (Quantum Bigfoot), Removable Hard Drive Tray, Hard Drive, External Hard Drive Pack, 3.5-inch IDE Hard Drive w/ cover removed, Microdrive, 2.5-inch IDE Hard Drive w/ cover removed, Memory Stick, Flash Card in PCMCIA Adaptor, Floppy Disk Adaptor/Memory Stick, Compact Flash Card, Memory Cards, Smart Media Card, Smart Media Floppy]

  • Modems

    Description: Modems, internal and external (analog, DSL, ISDN, cable), wireless modems, PC cards.

    Primary Uses: A modem is used to facilitate electronic communication by allowing the computer to access other computers and/or networks via a telephone line, wireless, or other communications medium.

    Potential Evidence: The device itself.

    Network Components

    Local Area Network (LAN) Card or Network Interface Card (NIC)

    Note: These components are indicative of a computer network. See discussion on network system evidence in chapter 5 before handling the computer system or any connected devices.

    Description: Network cards, associated cables. Network cards also can be wireless.

    Primary Uses: A LAN/NIC card is used to connect computers. Cards allow for the exchange of information and resource sharing.

    Potential Evidence: The device itself, MAC (media access control) access address.

    Routers, Hubs, and Switches

    Description: These electronic devices are used in networked computer systems. Routers, switches, and hubs provide a means of connecting different computers or networks. They can frequently be recognized by the presence of multiple cable connections.

    [Photograph labels: Internal Network Interface Card, Wireless Network Interface Card, Wireless PCMCIA Card, PCMCIA Network Interface Card, Router, Ethernet Hub, Wired Hub, External Modem, Internal Modem, PCMCIA Modem, Ricochet Modem, Wireless Modem, 10Mbps or 10/100Mbps Autosensing Ethernet Hub, Power Adapter, NBG600, Cable or xDSL Modem, Standard RJ-45 Ethernet Cable]

  • Primary Uses: Equipment used to distribute and facilitate the distribution of data through networks.

    Potential Evidence: The devices themselves. Also, for routers, configuration files.

    Servers

    Description: A server is a computer that provides some service for other computers connected to it via a network. Any computer, including a laptop, can be configured as a server.

    Primary Uses: Provides shared resources such as e-mail, file storage, Web page services, and print services for a network.

    Potential Evidence: See potential evidence under computer systems.

    Network Cables and Connectors

    Description: Network cables can be different colors, thicknesses, and shapes and have different connectors, depending on the components they are connected to.

    Primary Uses: Connects components of a computer network.

    Potential Evidence: The devices themselves.

    [Photograph labels: Wireless Hub, Server, RJ-11 Phone Cable, RJ45 LAN Cable & RJ11 Phone Cable, SCSI Cable, Parallel Port Printer Cable, Centronics Printer Cable, Ultrawide SCSI Cable, PS2 Cable, Serial Cable & Mouse, PS2 Cable With PS2 AT Adapter, USB Cable With A&B Connectors, Audio/Visual Cables, Network Cable Dongle & PC Network Card, Cable or xDSL Modem, CableFREE ISA/PCI Card in a Desktop, CableFREE PC Card in a Notebook, NCF600 CableFREE NetBlaster, NBG600, Standard RJ-45 Ethernet Cable]

  • Pagers

    Description: A handheld, portable electronic device that can contain volatile evidence (telephone numbers, voice mail, e-mail). Cell phones and personal digital assistants also can be used as paging devices.

    Primary Uses: For sending and receiving electronic messages, numeric (phone numbers, etc.) and alphanumeric (text, often including e-mail).

    Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.

    Potential Evidence:

    ◆ Address information.

    ◆ E-mail.

    ◆ Phone numbers.

    ◆ Text messages.

    ◆ Voice messages.

    Printers

    Description: One of a variety of printing systems, including thermal, laser, inkjet, and impact, connected to the computer via a cable (serial, parallel, universal serial bus (USB), firewire) or accessed via an infrared port. Some printers contain a memory buffer, allowing them to receive and store multiple page documents while they are printing. Some models may also contain a hard drive.

    Primary Uses: Print text, images, etc., from the computer to paper.

    Potential Evidence: Printers may maintain usage logs, time and date information, and, if attached to a network, they may store network identity information. In addition, unique characteristics may allow for identification of a printer.

    ◆ Documents.

    ◆ Hard drive.

    ◆ Ink cartridges.

    ◆ Network identity/information.

    ◆ Superimposed images on the roller.

    ◆ Time and date stamp.

    ◆ User usage log.

    [Photograph labels: RIM Pager, Single Pager, Pagers, Multifunction Device, Inkjet Printer]

  • Removable Storage Devices and Media

    Description: Media used to store electrical, magnetic, or digital information (e.g., floppy disks, CDs, DVDs, cartridges, tape).

    Primary Uses: Portable devices that can store computer programs, text, pictures, video, multimedia files, etc.

    New types of storage devices and media come on the market frequently; these are a few examples of how they appear.

    Potential Evidence: See potential evidence under computer systems.

    Scanners

    Description: An optical device connected to a computer, which passes a document past a scanning device (or vice versa) and sends it to the computer as a file.

    Primary Uses: Converts documents, pictures, etc., to electronic files, which can then be viewed, manipulated, or transmitted on a computer.

    Potential Evidence: The device itself may be evidence. Having the capability to scan may help prove illegal activity (e.g., child pornography, check fraud, counterfeiting, identity theft). In addition, imperfections such as marks on the glass may allow for unique identification of a scanner used to process documents.

    [Photograph labels: Syquest Cartridge, External CD-ROM Drive, Recordable CD, Jaz Cartridge, Zip Cartridge, DAT Tape Reader, Tape Drive, LS-120 Floppy Disk, External Media Disk Drive, DLT Tape Cartridge, DVD RAM Cartridge, External Zip Drive, 8mm and 4mm Tapes, 3.5-inch Floppy Diskette, Flatbed Scanner, Sheetfed Scanner, Handheld Scanner]

  • Telephones

    Description: A handset either by itself (as with cell phones), or a remote base station (cordless), or connected directly to the landline system. Draws power from an internal battery, electrical plug-in, or directly from the telephone system.

    Primary Uses: Two-way communication from one instrument to another, using land lines, radio transmission, cellular systems, or a combination. Phones are capable of storing information.

    Note: Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.

    Potential Evidence: Many telephones can store names, phone numbers, and caller identification information. Additionally, some cellular telephones can store appointment information, receive electronic mail and pages, and may act as a voice recorder.

    ◆ Appointment calendars/information.

    ◆ Caller identification information.

    ◆ Electronic serial number.

    ◆ E-mail.

    ◆ Memo.

    ◆ Password.

    ◆ Phone book.

    ◆ Text messages.

    ◆ Voice mail.

    ◆ Web browsers.

    Miscellaneous Electronic Items

    There are many additional types of electronic equipment that are too numerous to be listed that might be found at a crime scene. However, there are many nontraditional devices that can be an excellent source of investigative information and/or evidence. Examples are credit card skimmers, cell phone cloning equipment, caller ID boxes, audio recorders, and Web TV. Fax machines, copiers, and multifunction machines may have internal storage devices and may contain information of evidentiary value.

    REMINDER: The search of this type of evidence may require a search warrant. See note in the Introduction, page 7.

    [Photograph labels: Cordless, Cellular Phones, Cellular Phone Cloning Equipment, Caller ID Box]

  • Copiers

    Some copiers maintain user access records and history of copies made. Copiers with the scan once/print many feature allow documents to be scanned once into memory, and then printed later.

    Potential Evidence:

    ◆ Documents.

    ◆ Time and date stamp.

    ◆ User usage log.

    Credit Card Skimmers

    Credit card skimmers are used to read information contained on the magnetic stripe on plastic cards.

    Potential Evidence: Cardholder information contained on the tracks of the magnetic stripe includes:

    ◆ Card expiration date.

    ◆ Credit card numbers.

    ◆ User’s address.

    ◆ User’s name.

    Digital Watches

    There are several types of digital watches available that can function as pagers that store digital messages. They may store additional information such as address books, appointment calendars, e-mail, and notes. Some also have the capability of synchronizing information with computers.

    Potential Evidence:

    ◆ Address book.

    ◆ Appointment calendars.

    ◆ E-mail.

    ◆ Notes.

    ◆ Phone numbers.

    Facsimile Machines

    Facsimile (fax) machines can store preprogrammed phone numbers and a history of transmitted and received documents. In addition, some contain memory allowing multiple-page faxes to be scanned in and sent at a later time as well as allowing incoming faxes to be held in memory and printed later. Some may store hundreds of pages of incoming and/or outgoing faxes.

    [Photograph labels: Copier, Credit Card Skimmer, Credit Card Skimmer—Laptop, Fax Machine]

  • Potential Evidence:

    ◆ Documents.

    ◆ Film cartridge.

    ◆ Phone numbers.

    ◆ Send/receive log.

    Global Positioning Systems (GPS)

    Global Positioning Systems can provide information on previous travel via destination information, way points, and routes. Some automatically store the previous destinations and include travel logs.

    Potential Evidence:

    ◆ Home.

    ◆ Previous destinations.

    ◆ Travel logs.

    ◆ Way point coordinates.

    ◆ Way point name.

  • Chapter 2. Investigative Tools and Equipment

    Principle: Special tools and equipment may be required to collect electronic evidence. Experience has shown that advances in technology may dictate changes in the tools and equipment required.

    Policy: There should be access to the tools and equipment necessary to document, disconnect, remove, package, and transport electronic evidence.

    Procedure: Preparations should be made to acquire the equipment required to collect electronic evidence. The needed tools and equipment are dictated by each aspect of the process: documentation, collection, packaging, and transportation.

    Tool Kit

    Departments should have general crime scene processing tools (e.g., cameras, notepads, sketchpads, evidence forms, crime scene tape, markers). The following are additional items that may be useful at an electronic crime scene.

    Documentation Tools

    ◆ Cable tags.

    ◆ Indelible felt tip markers.

    ◆ Stick-on labels.

    Disassembly and Removal Tools

    A variety of nonmagnetic sizes and types of:

    ◆ Flat-blade and Phillips-type screwdrivers.

    ◆ Hex-nut drivers.

    ◆ Needle-nose pliers.

    ◆ Secure-bit drivers.

    ◆ Small tweezers.

  • ◆ Specialized screwdrivers (manufacturer-specific, e.g., Compaq, Macintosh).

    ◆ Standard pliers.

    ◆ Star-type nut drivers.

    ◆ Wire cutters.

    Package and Transport Supplies

    ◆ Antistatic bags.

    ◆ Antistatic bubble wrap.

    ◆ Cable ties.

    ◆ Evidence bags.

    ◆ Evidence tape.

    ◆ Packing materials (avoid materials that can produce static electricity such as styrofoam or styrofoam peanuts).

    ◆ Packing tape.

    ◆ Sturdy boxes of various sizes.

    Other Items

    Items that also should be included within a department’s tool kit are:

    ◆ Gloves.

    ◆ Hand truck.

    ◆ Large rubber bands.

    ◆ List of contact telephone numbers for assistance.

    ◆ Magnifying glass.

    ◆ Printer paper.

    ◆ Seizure disk.

    ◆ Small flashlight.

    ◆ Unused floppy diskettes (3½ and 5¼ inch).

  • Chapter 3. Securing and Evaluating the Scene

    Principle: The first responder should take steps to ensure the safety of all persons at the scene and to protect the integrity of all evidence, both traditional and electronic.

    Policy: All activities should be in compliance with departmental policy and Federal, State, and local laws. (Additional resources are referenced in appendix B.)

    Procedure: After securing the scene and all persons on the scene, the first responder should visually identify potential evidence, both conventional (physical) and electronic, and determine if perishable evidence exists. The first responder should evaluate the scene and formulate a search plan.

    Secure and evaluate the scene:

    ◆ Follow jurisdictional policy for securing the crime scene. This would include ensuring that all persons are removed from the immediate area from which evidence is to be collected. At this point in the investigation do not alter the condition of any electronic devices: If it is off, leave it off. If it is on, leave it on.

    ◆ Protect perishable data physically and electronically. Perishable data may be found on pagers, caller ID boxes, electronic organizers, cell phones, and other similar devices. The first responder should always keep in mind that any device containing perishable data should be immediately secured, documented, and/or photographed.

    ◆ Identify telephone lines attached to devices such as modems and caller ID boxes. Document, disconnect, and label each telephone line from the wall rather than the device, when possible. There may also be other communications lines present for LAN/ethernet connections. Consult appropriate personnel/agency in these cases.

  • Keyboards, the computer mouse, diskettes, CDs, or other components may have latent fingerprints or other physical evidence that should be preserved. Chemicals used in processing latent prints can damage equipment and data. Therefore, latent prints should be collected after electronic evidence recovery is complete.

    Conduct preliminary interviews:

    ◆ Separate and identify all persons (witnesses, subjects, or others) at the scene and record their location at time of entry.

    ◆ Consistent with departmental policy and applicable law, obtain from these individuals information such as:

    ❖ Owners and/or users of electronic devices found at the scene, as well as passwords (see below), user names, and Internet service provider.

    ❖ Passwords. Any passwords required to access the system, software, or data. (An individual may have multiple passwords, e.g., BIOS, system login, network or ISP, application files, encryption pass phrase, e-mail, access token, scheduler, or contact list.)

    ❖ Purpose of the system.

    ❖ Any unique security schemes or destructive devices.

    ❖ Any offsite data storage.

    ❖ Any documentation explaining the hardware or software installed on the system.

  • Chapter 4. Documenting the Scene

    Principle: Documentation of the scene creates a permanent historical record of the scene. Documentation is an ongoing process throughout the investigation. It is important to accurately record the location and condition of computers, storage media, other electronic devices, and conventional evidence.

    Policy: Documentation of the scene should be created and maintained in compliance with departmental policy and Federal, State, and local laws.

    Procedure: The scene should be documented in detail.

    Initial documentation of the physical scene:

    ◆ Observe and document the physical scene, such as the position of the mouse and the location of components relative to each other (e.g., a mouse on the left side of the computer may indicate a left-handed user).

    ◆ Document the condition and location of the computer system, including power status of the computer (on, off, or in sleep mode). Most computers have status lights that indicate the computer is on. Likewise, if fan noise is heard, the system is probably on. Furthermore, if the computer system is warm, that may also indicate that it is on or was recently turned off.

    ◆ Identify and document related electronic components that will not be collected.

    ◆ Photograph the entire scene to create a visual record as noted by the first responder. The complete room should be recorded with 360 degrees of coverage, when possible.

    ◆ Photograph the front of the computer as well as the monitor screen and other components. Also take written notes on what appears on the monitor screen. Active programs may require videotaping or more extensive documentation of monitor screen activity.

  • Note: Movement of a computer system while the system is running may cause changes to system data. Therefore, the system should not be moved until it has been safely powered down as described in chapter 5.

    ◆ Additional documentation of the system will be performed during the collection phase.

  • Chapter 5: Evidence Collection

    REMINDER: The search for and collection of evidence at an electronic crime scene may require a search warrant. See note in the Introduction, page 7.

    Principle: Computer evidence, like all other evidence, must be handled carefully and in a manner that preserves its evidentiary value. This relates not just to the physical integrity of an item or device, but also to the electronic data it contains. Certain types of computer evidence, therefore, require special collection, packaging, and transportation. Consideration should be given to protect data that may be susceptible to damage or alteration from electromagnetic fields such as those generated by static electricity, magnets, radio transmitters, and other devices.

    Policy: Electronic evidence should be collected according to departmental guidelines. In the absence of departmental guidelines outlining procedures for electronic evidence collection, the following procedures are suggested.

    Note: Prior to collection of evidence, it is assumed that locating and documenting has been done as described in chapters 3 and 4. Recognize that other types of evidence such as trace, biological, or latent prints may exist. Follow your agency’s protocol regarding evidence collection. Destructive techniques (e.g., use of fingerprint processing chemicals) should be postponed until after electronic evidence recovery is done.

    Nonelectronic Evidence

    Recovery of nonelectronic evidence can be crucial in the investigation of electronic crime. Proper care should be taken to ensure that such evidence is recovered and preserved. Items relevant to subsequent examination of electronic evidence may exist in other forms (e.g., written passwords and other handwritten notes, blank pads of paper with indented writing, hardware and software manuals, calendars, literature, text or graphical computer printouts, and photographs) and should be secured and preserved for future analysis. These items frequently are in close proximity to the computer or related hardware items. All evidence should be identified, secured, and preserved in compliance with departmental policies.

    Stand-Alone and Laptop Computer Evidence

    CAUTION: Multiple computers may indicate a computer network. Likewise, computers located at businesses are often networked. In these situations, specialized knowledge about the system is required to effectively recover evidence and reduce your potential for civil liability. When a computer network is encountered, contact the forensic computer expert in your department or outside consultant identified by your department for assistance. Computer systems in a complex environment are addressed later in this chapter.

    A “stand-alone” personal computer is a computer not connected to a network or other computer. Stand-alones may be desktop machines or laptops.

    Laptops incorporate a computer, monitor, keyboard, and mouse into a single portable unit. Laptops differ from other computers in that they can be powered by electricity or a battery source. Therefore, they require the removal of the battery in addition to stand-alone power-down procedures.

    If the computer is on, document existing conditions and call your expert or consultant. If an expert or consultant is not available, continue with the following procedure:

    Procedure:

    After securing the scene per chapter 3, read all steps below before taking any action (or evidentiary data may be altered).

    a. Record in notes all actions you take and any changes that you observe in the monitor, computer, printer, or other peripherals that result from your actions.

    b. Observe the monitor and determine if it is on, off, or in sleep mode. Then decide which of the following situations applies and follow the steps for that situation.

  • Situation 1: Monitor is on and work product and/or desktop is visible.

    1. Photograph screen and record information displayed.

    2. Proceed to step c.

    Situation 2: Monitor is on and screen is blank (sleep mode) or screen saver (picture) is visible.

    1. Move the mouse slightly (without pushing buttons). The screen should change and show work product or request a password.

    2. If mouse movement does not cause a change in the screen, DO NOT perform any other keystrokes or mouse operations.

    3. Photograph the screen and record the information displayed.

    4. Proceed to step c.

    Situation 3: Monitor is off.

    1. Make a note of “off” status.

    2. Turn the monitor on, then determine if the monitor status is as described in either situation 1 or 2 above and follow those steps.

    c. Regardless of the power state of the computer (on, off, or sleep mode), remove the power source cable from the computer—NOT from the wall outlet. If dealing with a laptop, in addition to removing the power cord, remove the battery pack. The battery is removed to prevent any power to the system. Some laptops have a second battery in the multipurpose bay instead of a floppy drive or CD drive. Check for this possibility and remove that battery as well.

    d. Check for outside connectivity (e.g., telephone modem, cable, ISDN, DSL). If a telephone connection is present, attempt to identify the telephone number.

    e. To avoid damage to potential evidence, remove any floppy disks that are present, package the disk separately, and label the package. If available, insert either a seizure disk or a blank floppy disk. Do NOT remove CDs or touch the CD drive.

    f. Place tape over all the drive slots and over the power connector.

    g. Record make, model, and serial numbers.

    h. Photograph and diagram the connections of the computer and the corresponding cables.

  • i. Label all connectors and cable ends (including connections to peripheral devices) to allow for exact reassembly at a later time. Label unused connection ports as “unused.” Identify laptop computer docking stations in an effort to identify other storage media.

    j. Record or log evidence according to departmental procedures.

    k. If transport is required, package the components as fragile cargo (see chapter 6).

    Computers in a Complex Environment

    Business environments frequently have multiple computers connected to each other, to a central server, or both. Securing and processing a crime scene where the computer systems are networked poses special problems, as improper shutdown may destroy data. This can result in loss of evidence and potential severe civil liability. When investigating criminal activity in a known business environment, the presence of a computer network should be planned for in advance, if possible, and appropriate expert assistance obtained. It should be noted that computer networks can also be found in a home environment and the same concerns exist.

    The possibility of various operating systems and complex hardware configurations requiring different shutdown procedures make the processing of a network crime scene beyond the scope of this guide. However, it is important that computer networks be recognized and identified, so that expert assistance can be obtained if one is encountered. Appendix C provides a list of technical resources that can be contacted for assistance.

    Indications that a computer network may be present include:

    ◆ The presence of multiple computer systems.

    ◆ The presence of cables and connectors, such as those depicted in the pictures at left, running between computers or central devices such as hubs.

    ◆ Information provided by informants or individuals at the scene.

    ◆ The presence of network components as depicted in chapter 1.

    [Figure: 10Base2 connector and 10BaseT connector, each labeled “Disconnect Here.”]

  • Other Electronic Devices and Peripheral Evidence

    The electronic devices such as the ones in the list below may contain potential evidence associated with criminal activity. Unless an emergency exists, the device should not be operated. Should it be necessary to access information from the device, all actions associated with the manipulation of the device should be documented to preserve the authenticity of the information. Many of the items listed below may contain data that could be lost if not handled properly. For more detailed information on these devices, see chapter 1.

    Examples of other electronic devices (including computer peripherals):

    ◆ Audio recorders.

    ◆ Answering machines.

    ◆ Cables.

    ◆ Caller ID devices.

    ◆ Cellular telephones.

    ◆ Chips. (When components such as chips are found in quantity, it may be indicative of chip theft.)

    ◆ Copy machines.

    ◆ Databank/Organizer digital.

    ◆ Digital cameras (still and video).

    ◆ Dongle or other hardware protection devices (keys) for software.

    ◆ Drive duplicators.

    ◆ External drives.

    ◆ Fax machines.

    ◆ Flash memory cards.

    ◆ Floppies, diskettes, CD–ROMs.

    ◆ GPS devices.

    ◆ Pagers.

    ◆ Palm Pilots/electronic organizers.

    ◆ PCMCIA cards.

    ◆ Printers (if active, allow to complete printing).

    ◆ Removable media.

    ◆ Scanners (film, flatbed, watches, etc.).

    ◆ Smart cards/secure ID tokens.

    ◆ Telephones (including speed dialers, etc.).

    ◆ VCRs.

    ◆ Wireless access point.

    Note: When seizing removable media, ensure that you take the associated device that created the media (e.g., tape drive, cartridge drives such as Zip®, Jaz®, ORB, Clik!™, Syquest, LS-120).

  • Chapter 6: Packaging, Transportation, and Storage

    Principle: Actions taken should not add, modify, or destroy data stored on a computer or other media. Computers are fragile electronic instruments that are sensitive to temperature, humidity, physical shock, static electricity, and magnetic sources. Therefore, special precautions should be taken when packaging, transporting, and storing electronic evidence. To maintain chain of custody of electronic evidence, document its packaging, transportation, and storage.

    Policy: Ensure that proper procedures are followed for packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.

    Packaging procedure:

    a. Ensure that all collected electronic evidence is properly documented, labeled, and inventoried before packaging.

    b. Pay special attention to latent or trace evidence and take actions to preserve it.

    c. Pack magnetic media in antistatic packaging (paper or antistatic plastic bags). Avoid using materials that can produce static electricity, such as standard plastic bags.

    d. Avoid folding, bending, or scratching computer media such as diskettes, CD–ROMs, and tapes.

    e. Ensure that all containers used to hold evidence are properly labeled.

    Note: If multiple computer systems are collected, label each system so that it can be reassembled as found (e.g., System A–mouse, keyboard, monitor, main base unit; System B–mouse, keyboard, monitor, main base unit).

  • Transportation procedure:

    a. Keep electronic evidence away from magnetic sources. Radio transmitters, speaker magnets, and heated seats are examples of items that can damage electronic evidence.

    b. Avoid storing electronic evidence in vehicles for prolonged periods of time. Conditions of excessive heat, cold, or humidity can damage electronic evidence.

    c. Ensure that computers and other components that are not packaged in containers are secured in the vehicle to avoid shock and excessive vibrations. For example, computers may be placed on the vehicle floor and monitors placed on the seat with the screen down and secured by a seat belt.

    d. Maintain the chain of custody on all evidence transported.

    Storage procedure:

    a. Ensure that evidence is inventoried in accordance with departmental policies.

    b. Store evidence in a secure area away from temperature and humidity extremes. Protect it from magnetic sources, moisture, dust, and other harmful particles or contaminants.

    Note: Be aware that potential evidence such as dates, times, and systems configurations may be lost as a result of prolonged storage. Since batteries have a limited life, data could be lost if they fail. Therefore, appropriate personnel (e.g., evidence custodian, lab chief, forensic examiner) should be informed that a device powered by batteries is in need of immediate attention.

  • Chapter 7: Forensic Examination by Crime Category

    The following outline should help officers/investigators identify the common findings of a forensic examination as they relate to specific crime categories. This outline will also help define the scope of the examination to be performed. (This information is also presented as a matrix at the end of this chapter.)

    Auction Fraud (Online)

    ◆ Account data regarding online auction sites.

    ◆ Accounting/bookkeeping software and associated data files.

    ◆ Address books.

    ◆ Calendar.

    ◆ Chat logs.

    ◆ Customer information/credit card data.

    ◆ Databases.

    ◆ Digital camera software.

    ◆ E-mail/notes/letters.

    ◆ Financial/asset records.

    ◆ Image files.

    ◆ Internet activity logs.

    ◆ Internet browser history/cache files.

    ◆ Online financial institution access software.

    ◆ Records/documents of “testimonials.”

    ◆ Telephone records.

    Child Exploitation/Abuse

    ◆ Chat logs.

    ◆ Date and time stamps.

    ◆ Digital camera software.

    ◆ E-mail/notes/letters.

    ◆ Games.

    ◆ Graphic editing and viewing software.

    ◆ Images.

    ◆ Internet activity logs.

    ◆ Movie files.

    ◆ User-created directory and file names that classify images.

  • Computer Intrusion

    ◆ Address books.

    ◆ Configuration files.

    ◆ E-mail/notes/letters.

    ◆ Executable programs.

    ◆ Internet activity logs.

    ◆ Internet protocol (IP) address and user name.

    ◆ Internet relay chat (IRC) logs.

    ◆ Source code.

    ◆ Text files (user names and passwords).

    Death Investigation

    ◆ Address books.

    ◆ Diaries.

    ◆ E-mail/notes/letters.

    ◆ Financial/asset records.

    ◆ Images.

    ◆ Internet activity logs.

    ◆ Legal documents and wills.

    ◆ Medical records.

    ◆ Telephone records.

    Domestic Violence

    ◆ Address books.

    ◆ Diaries.

    ◆ E-mail/notes/letters.

    ◆ Financial/asset records.

    ◆ Medical records.

    ◆ Telephone records.

    Economic Fraud (Including Online Fraud, Counterfeiting)

    ◆ Address books.

    ◆ Calendar.

    ◆ Check, currency, and money order images.

    ◆ Credit card skimmers.

    ◆ Customer information/credit card data.

    ◆ Databases.

    ◆ E-mail/notes/letters.

    ◆ False financial transaction forms.

    ◆ False identification.

    ◆ Financial/asset records.

    ◆ Images of signatures.

    ◆ Internet activity logs.

    ◆ Online financial institution access software.

  • E-Mail Threats/Harassment/Stalking

    ◆ Address books.

    ◆ Diaries.

    ◆ E-mail/notes/letters.

    ◆ Financial/asset records.

    ◆ Images.

    ◆ Internet activity logs.

    ◆ Legal documents.

    ◆ Telephone records.

    ◆ Victim background research.

    Extortion

    ◆ Date and time stamps.

    ◆ E-mail/notes/letters.

    ◆ History log.

    ◆ Internet activity logs.

    ◆ Temporary Internet files.

    ◆ User names.

    Gambling

    ◆ Address books.

    ◆ Calendar.

    ◆ Customer database and player records.

    ◆ Customer information/credit card data.

    ◆ Electronic money.

    ◆ E-mail/notes/letters.

    ◆ Financial/asset records.

    ◆ Image players.

    ◆ Internet activity logs.

    ◆ Online financial institution access software.

    ◆ Sports betting statistics.

    Identity Theft

    ◆ Hardware and software tools.

    ❖ Backdrops.

    ❖ Credit card generators.

    ❖ Credit card reader/writer.

    ❖ Digital cameras.

    ❖ Scanners.

    ◆ Identification templates.

    ❖ Birth certificates.

    ❖ Check cashing cards.

    ❖ Digital photo images for photo identification.

    ❖ Driver’s license.

    ❖ Electronic signatures.

  • ❖ Fictitious vehicle registrations.

    ❖ Proof of auto insurance documents.

    ❖ Scanned signatures.

    ❖ Social security cards.

    ◆ Internet activity related to ID theft.

    ❖ E-mails and newsgroup postings.

    ❖ Erased documents.

    ❖ Online orders.

    ❖ Online trading information.

    ❖ System files and file slack.

    ❖ World Wide Web activity at forgery sites.

    ◆ Negotiable instruments.

    ❖ Business checks.

    ❖ Cashiers checks.

    ❖ Counterfeit money.

    ❖ Credit card numbers.

    ❖ Fictitious court documents.

    ❖ Fictitious gift certificates.

    ❖ Fictitious loan documents.

    ❖ Fictitious sales receipts.

    ❖ Money orders.

    ❖ Personal checks.

    ❖ Stock transfer documents.

    ❖ Travelers checks.

    ❖ Vehicle transfer documentation.

    Narcotics

    ◆ Address books.

    ◆ Calendar.

    ◆ Databases.

    ◆ Drug recipes.

    ◆ E-mail/notes/letters.

    ◆ False identification.

    ◆ Financial/asset records.

    ◆ Internet activity logs.

    ◆ Prescription form images.

    Prostitution

    ◆ Address books.

    ◆ Biographies.

    ◆ Calendar.

    ◆ Customer database/records.

    ◆ E-mail/notes/letters.

    ◆ False identification.

    ◆ Financial/asset records.

    ◆ Internet activity logs.

    ◆ Medical records.

    ◆ World Wide Web page advertising.

  • Software Piracy

    ◆ Chat logs.

    ◆ E-mail/notes/letters.

    ◆ Image files of software certificates.

    ◆ Internet activity logs.

    ◆ Serial numbers.

    ◆ Software cracking information and utilities.

    ◆ User-created directory and file names that classify copyrighted software.

    Telecommunications Fraud

    ◆ Cloning software.

    ◆ Customer database/records.

    ◆ Electronic Serial Number (ESN)/Mobile Identification Number (MIN) pair records.

    ◆ E-mail/notes/letters.

    ◆ Financial/asset records.

    ◆ “How to phreak” manuals.

    ◆ Internet activity.

    ◆ Telephone records.

    At a physical scene, look for duplication and packaging material.

    The following information, when available, should be documented to assist in the forensic examination:

    ◆ Case summary.

    ◆ Internet protocol address(es).

    ◆ Keyword lists.

    ◆ Nicknames.

    ◆ Passwords.

    ◆ Points of contact.

    ◆ Supporting documents.

    ◆ Type of crime.

  • [Matrix: findings of a forensic examination by crime category. Column group labels: Crimes Against Persons; Sex Crimes; Fraud/Other Financial Crime. Column headings: Child Exploitation/Abuse, Prostitution, Death Investigation, Auction Fraud, Computer Intrusion, Economic Fraud, Gambling, Identity Theft, Narcotics, Software Piracy, E-Mail Threats/Harassment/Stalking, Telecommunications Fraud, Domestic Violence, Extortion. Each row below names a type of information, followed by its check marks.]

    General Information:

    Databases ✔ ✔ ✔ ✔ ✔

    E-Mail/notes/letters ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

    Financial/asset records ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

    Medical records ✔ ✔ ✔

    Telephone records ✔ ✔ ✔ ✔ ✔

    Specific Information:

    Account data ✔

    Accounting/bookkeeping software ✔

    Address books ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

    Backdrops ✔

    Biographies ✔

    Birth certificates ✔

    Calendar ✔ ✔ ✔ ✔ ✔

    Chat logs ✔ ✔ ✔

    Check, currency, and money order images ✔ ✔

    Check cashing cards ✔

    Cloning software ✔

    Configuration files ✔

    Counterfeit money ✔

    Credit card generators ✔

    Credit card numbers ✔

    Credit card reader/writer ✔

    Credit card skimmers ✔

    Customer database/records ✔ ✔ ✔

    Customer information/credit card data ✔ ✔ ✔

    Date and time stamps ✔ ✔

    Diaries ✔ ✔ ✔

    Digital cameras/software/images ✔ ✔ ✔

    Driver’s license ✔

    Drug recipes ✔

    Electronic money ✔

    Electronic signatures ✔

    Erased Internet documents ✔

    ESN/MIN pair records ✔

    Executable programs ✔

    False financial transaction forms ✔

    False identification ✔ ✔ ✔

    Fictitious court documents ✔

    Fictitious gift certificates ✔

    Fictitious loan documents ✔

    Fictitious sales receipts ✔

    Fictitious vehicle registrations ✔

    Games ✔

    Graphic editing and viewing software ✔

    History log ✔

    “How to phreak” manuals ✔

    Images ✔ ✔ ✔ ✔

    Images of signatures ✔

    Image files of software certificates ✔

    Image players ✔

    Internet activity logs ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

    Internet browser history/cache files ✔

    IP address and user name ✔

    IRC chat logs ✔

    Legal documents and wills ✔ ✔

    Movie files ✔

    Online financial institution access software ✔ ✔ ✔

    Online orders and trading information ✔

    Prescription form images ✔

    Records/documents of “testimonials” ✔
